Information Security News mailing list archives
When laptops 'walk away,' company secrets go, too
From: InfoSec News <isn () C4I ORG>
Date: Thu, 15 Mar 2001 00:55:30 -0600
http://www.usatoday.com/life/cyber/tech/2001-03-13-walking-laptops.htm

By Salina Khan
USA TODAY
03/13/2001

Companies are discovering that a traveler's stolen laptop is more than an inconvenience; it's a dangerous security risk.

Security experts say most companies aren't doing enough to protect laptops and the data stored on them against theft. About 70% of companies don't have policies on security and the use of laptops while traveling, according to an informal October survey by TechRepublic, an online site for information technology professionals.

"A lot of people don't create a laptop policy until they have a laptop walk out the door," says Bob Artner, TechRepublic's vice president of content development.

The costs can be large. The number of laptops reported lost or stolen rose more than 20% last year to 387,000, according to Safeware, The Insurance Agency. Assuming an average cost of $2,000, on the low side for a good laptop, that puts the replacement cost at close to $775 million. A company with 10,000 mobile workers spends $7 million a year on lost, missing or broken laptops, according to the Meta Group in Stamford, Conn.

Harder to measure, and more troublesome, is the loss of corporate secrets and other sensitive information that may have fallen into the wrong hands.

"I know of some (thefts of executives' laptops) that would make your blood curdle, especially if you were investing in their companies," says Ravi Hariprasad, CEO of Lucira Technologies, a laptop security software provider in Boston.

Qualcomm CEO Irwin Jacobs has not recovered his IBM ThinkPad, 6 months after it was stolen from the stage of a meeting room where he was addressing a journalists' conference. According to press reports at the time, the laptop was stocked with confidential information. Qualcomm would not comment for this article on its laptop security policy before or since the incident.

Security experts say the value of information that's being stored on laptops, from documents and e-mails to direct links into corporate computer networks, is underappreciated.

Security breaches often occur because companies do not enforce the laptop security policies that they have, says Julie Lucas, director of infrastructure technology at GlobalNetwork Technology Services in Boston.

"They'd rather put their head in the sand like an ostrich and think it's never going to happen to them," Lucas says.

Cooley Godward, a law firm in Palo Alto, Calif., says it didn't regularly follow its laptop security procedures until an employee was caught stealing 200 laptops several years ago. Security has become a higher priority for the company since then.

Cooley Godward now recommends employees use cables to lock their laptops to their desks. It records the serial numbers of laptops before issuing them, and the firm holds brown bag lunches with employees to discuss security issues. It is considering requiring employees to periodically change the passwords for their laptops.

"We are strictly adhering to procedures that were then in place that are adding tighter guidelines," says Cooley Godward spokesman Patrick Bustamante.

To protect against theft, companies should "have a culture of highly valuing information," suggests Kevin Coleman, a partner in KPMG's Information Risk Management practice. He says companies should create a hierarchy of data and prohibit employees from saving more sensitive information on their laptops.

"If organizations don't have a classification system, it's difficult for employees to know what data is important and what is not," Coleman says. He recommends companies also conduct routine inventories and have their technology departments scan information stored on laptops to determine if they have sensitive information on them.

Companies increasingly are making use of technological tools to help keep laptops safe.
From 25% to 35% of companies are using hardware or software devices to protect their mobile devices, but in an "irregular and haphazard way," according to the Meta Group. Nearly three-quarters of companies are expected to improve their management of laptops and information stored on them by 2004.

Among the steps being taken:

* Encryption. Cooley Godward is considering installing software that would make sensitive documents stored on laptops unreadable to anyone without a correct password. Bill Spernow of Gartner in Stamford, Conn., says encryption software is gaining popularity but sometimes makes it difficult for company administrators to open and read the encrypted documents.

* Virtual Private Networks (VPNs). More companies allow their employees to access their main computer system from laptops using an Internet connection. To protect data and passwords from being stolen during transmission, companies are installing VPNs. They let a company's employees work as if they're in private areas of the Internet where other Internet users should not be able to enter. The IDC of Framingham, Mass., estimates companies will spend $5 billion on VPNs in 2003, up from $700 million in 1999.

* Laptop locators. Lucira Technologies is one company that offers software to track stolen laptops once they have been used to connect to the Internet. Lucira's software forces the laptop's modem to dial to Lucira's office. The company can find the location of the laptop by matching the phone number being used with its database of phone numbers, addresses and maps. It will notify local law enforcement officials if asked. Lucira is introducing software this year that will also let its users destroy or retrieve information stored on stolen laptops once the thief connects to the Internet.

While security tools are gaining in popularity, experts say they are useless without appropriate employee training and awareness.
That's why laptop security provider PentaSafe Security Technologies in Houston introduced software in December that monitors whether an employee has read security updates in e-mail or on intranets and quizzes their security knowledge.

"You need to provide education like you did about sexual harassment in the '80s," says Steve Kahan, executive vice president at PentaSafe. "The people side of security is the missing link that is now getting attention."